Google has released emergency updates to patch another Chrome zero-day vulnerability exploited in attacks, marking the fourth such flaw fixed since the start of the year.
“Google is aware that an exploit for CVE-2025-6554 exists in the wild,” the browser vendor said in a security advisory issued on Monday. “This issue was mitigated on 2025-06-26 by a configuration change pushed out to Stable channel across all platforms.”
The company fixed the zero-day for users in the Stable Desktop channel, with new versions rolling out worldwide to Windows (138.0.7204.96/.97), Mac (138.0.7204.92/.93), and Linux users (138.0.7204.96) one day after the issue was reported to Google.
The bug was discovered by Clément Lecigne of Google’s Threat Analysis Group (TAG), a team of security researchers focused on protecting Google customers from state-sponsored and other similar attacks.
Google TAG frequently discovers zero-day exploits deployed by government-sponsored threat actors in targeted attacks to infect high-risk individuals, including opposition politicians, dissidents, and journalists, with spyware.
Although the security updates patching CVE-2025-6554 may take days or even weeks to reach all users, according to Google, they were immediately available when BleepingComputer checked for updates earlier today.
Users who prefer not to update manually can also rely on their web browser to automatically check for new updates and install them after the next launch.
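For anyone verifying a fleet, the following is an added example (not code from Google or BleepingComputer) that checks whether an installed Chrome build is at or above the first fixed version for its platform, using the version numbers from the release note above; the `google-chrome --version` invocation and binary name are assumptions that vary by install.

```python
# Added example: is this Chrome build at or above the first CVE-2025-6554 fixed release?
# Minimum fixed versions come from Google's release note as reported above.
# Reading the version via "google-chrome --version" is an assumption; the binary
# name and path differ between operating systems and package sources.
import re
import subprocess
import sys

FIXED_VERSIONS = {
    "windows": "138.0.7204.96",  # .96/.97 shipped; .96 is the lower bound
    "mac": "138.0.7204.92",      # .92/.93 shipped; .92 is the lower bound
    "linux": "138.0.7204.96",
}


def parse_version(text):
    """Extract a dotted Chrome version from text such as 'Google Chrome 138.0.7204.96'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in m.groups())  # tuples compare field by field


def is_patched(installed, platform):
    """True if the installed version is >= the first fixed build for the platform."""
    required = parse_version(FIXED_VERSIONS[platform.lower()])
    return parse_version(installed) >= required


def detect_platform():
    """Map sys.platform onto the three platform names used in the release note."""
    if sys.platform.startswith("win"):
        return "windows"
    if sys.platform == "darwin":
        return "mac"
    return "linux"


if __name__ == "__main__":
    # Hypothetical invocation: adjust the binary name/path for the local install.
    out = subprocess.run(["google-chrome", "--version"],
                         capture_output=True, text=True, check=False).stdout
    print("patched" if is_patched(out, detect_platform()) else "UPDATE REQUIRED")
```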
The zero-day bug fixed today is a high-severity type confusion weakness in the Chrome V8 JavaScript engine. While such flaws typically lead to browser crashes after successful exploitation by reading or writing memory out of buffer bounds, attackers can also exploit them to execute arbitrary code on unpatched devices.
Although Google confirmed that this vulnerability was exploited in the wild, the company has yet to share technical details or additional information regarding these attacks.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” Google said.
This is the fourth actively exploited Google Chrome zero-day fixed since the start of the year, with three others patched in March, May, and June.
The first, a high-severity sandbox escape flaw (CVE-2025-2783) reported by Kaspersky’s Boris Larin and Igor Kuznetsov, was used in espionage attacks targeting Russian government organizations and media outlets with malware.
Google released another set of emergency security updates in May to address a Chrome zero-day (CVE-2025-4664) that could allow attackers to hijack accounts. One month later, the company addressed an out-of-bounds read and write weakness in Chrome’s V8 JavaScript engine discovered by Google TAG’s Benoît Sevens and Clément Lecigne.
In 2024, Google patched a total of 10 zero-day vulnerabilities that were either exploited in attacks or demoed during Pwn2Own hacking competitions.